A Blog by Jonathan Low


Jun 20, 2012

Evoting: Trust - but Terrify?

Can we ever erase the memory of the hanging chad?

For those who may not recall, the disputed 2000 US Presidential election, which ultimately saw George W. Bush ascend to the White House, was decided in part by a panel of judges determining whether perforated little paper slots, called chads, indicated voting intent or not. While the US - and many other democracies - swore the sacred right to vote should never again be subjected to such uncertain determination, the reality has been that we don't much trust other systems either.

The fears about electronic voting systems are that they can be (and have been) hacked, and that there is often no way to verify that a person's vote has been correctly tallied or that reported totals have not been tampered with. The notion of 'trust, but verify' falls short in this instance because across much of the world, trust is in short supply.

This lack of trust is a global phenomenon, not just unique to the US. In Europe, South America and Asia, fractured societies, economic disparities and political extremism have tempered historical belief in the common good. This naturally extends to the voting booth, as well. Providing verification is a relatively simple technological fix. The problem is political. There are those who believe they can gain from manipulating such systems, or prefer to reserve the right to do so, usually, they claim, to protect themselves from unscrupulous behavior by opponents. Others believe such verification is an unjustified expense and are suspicious that the authorities will use such information to track voting records. The result is a stand-off. Yes, e-voting makes as much, or more, sense as e-commerce, but sharing political power appears to be a touchier matter than sharing personal data for commercial purposes.

Which, when we think about it, is quite an amazing commentary on the priorities of our civilization. JL

Steve Schneider and Alan Woodward comment in Scientific American:
With the Presidential elections looming up, some have been asking why the United States is not making more of electronic voting. It’s being adopted in many other countries around the world, with India, Brazil, Estonia, Norway and Switzerland as notable examples. However, the United States has several examples in recent years where it has backed out of electronic voting that it had already implemented.
For example, in 2010, a trial system for remote voting over the Internet in Washington DC (known as the “Digital vote by mail”) was shown to be vulnerable, when it was penetrated by a research team from the University of Michigan, demonstrating how a real attack could render any results unsound, without detection. The attack was documented in a recent paper by researchers from the University of Michigan.

So who is right?

First, it’s important to differentiate between the types of e-voting. To some it means using controlled kiosks in polling stations which collect the votes locally. For others it means those kiosks sending the votes to some central collection system. To others, e-voting is about being able to vote remotely, typically over the Internet. In all cases, the key element of e-voting is that the vote is captured and processed electronically. This has several perceived benefits:

1. More people will be minded to vote. This has obvious advantages as the turnout in developed democracies around the world is often very disappointing, except in countries where it is a legal requirement to vote, such as Australia.
2. Accessibility: technology can assist blind and partially sighted voters, and those with mobility impairments, to cast their vote. It can also offer instructions in a range of languages without the cost of printing large numbers of ballot forms in each language.
3. Handling votes at long distances can be done much more quickly and reliably. Voters can vote from anywhere in the world without the need to post ballots or ship ballot boxes.

Given that we already do online banking and shopping, and even remotely vote for popular TV shows, what’s so different about electing our politicians through electronic voting?

It comes down to two principles which are peculiar to these types of elections:

1. Guarantee of integrity with verifiability: an individual who votes needs to be sure that their vote was cast for the person they intended, and has been lodged appropriately. Stories abound from some voters that a system they were using has thanked them for casting their vote for a candidate that they didn’t believe they had voted for, and they have not been able to rectify the situation. There will always be tension within this principle, as security and usability are often seen as opposing forces in system design.
2. Secrecy: online transactions at present, including voting for your favourite act on a TV show, will involve some form of receipt so that the user can see if something has gone wrong. In a voting system, issuing this kind of thing means that some form of audit trail will also be formed, which can tie your action (how you voted) to you personally. Obviously this is something you don’t want in a “secret ballot”. This is possibly the hardest aspect to “guarantee” in an electronic system.

The key difference between this and, say, online banking rests on the fact that we can check bank statements and retain records of transactions, which lets us catch any errors and unauthorised transactions. We can’t do this for voting systems because of the need for ballot secrecy, so we have to trust the voting system instead. This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.

The Holy Grail for electronic voting is “verifiability” which provides the highest level of trust by publishing the election data in a way that can be checked independently. Finding a way to do this is a challenge, but some systems have been proposed which make use of cryptography to secure votes while preventing them from being changed, whilst allowing vote processing to be done in an open and verifiable way.

Scantegrity were the first to run a municipal election in this way, at Takoma Park in November 2009 (and again in 2011), which was independently audited and resulted in no serious objections. Similarly, Helios has run several verifiable elections over the Internet, the largest being for the election of the Recteur (Principal) of the Catholic University of Louvain in Belgium.

Another voter-verifiable system is Prêt à Voter, originally proposed by Peter Ryan of the University of Luxembourg, and which is currently being implemented by the University of Surrey. In Prêt à Voter, “verification” comprises publishing each step in the election process, from the point where the vote is first cast right through to the final tally. It’s just like paper based elections where observers can see votes physically placed in the ballot boxes and watch that they are not tampered with throughout the collection and counting process.

Prêt à Voter makes use of cryptographic techniques to preserve the secrecy of the ballot. It secures the information so that it cannot be tampered with, nor can the person who cast the vote claim it wasn’t them that made a specific vote. All of this is done in such a way that voters can track their vote without providing a casual observer with the linkage between individuals and a specific vote. The processing steps come with mathematical proofs that the votes have been processed, decrypted and tallied correctly.

It’s clear that successful e-voting systems work on the principle of “assume voters will trust but allow them to verify if they wish”. As more e-voting is implemented using this principle it will become something demanded by voters, as it is not just an automated version of the current manual systems, but something that offers truly verifiable democracy. In an era when people are jaded about the political process, that must surely be a good thing.

